Thursday, April 26, 2012

The United States is presently engaged in serious cyber security
initiatives at national and international levels. At the national
level, the Cyber Intelligence Sharing and Protection Act (CISPA) has
been proposed for enactment. It is claimed that CISPA would boost the
cyber security capabilities of the US.

The Administration is committed to increasing public-private
sharing of information about cybersecurity threats as
an essential part of comprehensive legislation to protect the
Nation's vital information systems and critical infrastructure. The
sharing of information must be conducted in a manner that preserves
Americans' privacy, data confidentiality, and civil liberties and
recognizes the civilian nature of cyberspace. Cybersecurity and
privacy are not mutually exclusive. Moreover, information sharing,
while an essential component of comprehensive legislation, is not
alone enough to protect the Nation's core critical infrastructure
from cyber threats. Accordingly, the Administration strongly opposes
H.R. 3523, the Cyber Intelligence Sharing and Protection Act, in its
current form.

H.R. 3523 fails to provide authorities to ensure that the Nation's
core critical infrastructure is protected while
repealing important provisions of electronic surveillance law without
instituting corresponding privacy, confidentiality, and civil
liberties safeguards. For example, the bill would allow broad sharing
of information with governmental entities without establishing
requirements for both industry and the Government to minimize and
protect personally identifiable information. Moreover, such sharing
should be accomplished in a way that permits appropriate sharing
within the Government without undue restrictions imposed by private
sector companies that share information.

The bill also lacks sufficient limitations on the sharing of
personally identifiable information between private
entities and does not contain adequate oversight or accountability
measures necessary to ensure that the data is used only for
appropriate purposes. Citizens have a right to know that corporations
will be held legally accountable for failing to safeguard personal
information adequately. The Government, rather than establishing a
new antitrust exemption under this bill, should ensure that
information is not shared for anti-competitive purposes.

In addition, H.R. 3523 would inappropriately shield companies from
any suits where a company's actions are based on cyber
threat information identified, obtained, or shared under this bill,
regardless of whether that action otherwise violated Federal criminal
law or results in damage or loss of life. This broad liability
protection not only removes a strong incentive to improving
cybersecurity, it also potentially undermines our Nation's economic,
national security, and public safety interests.

H.R. 3523 effectively treats domestic cybersecurity as an
intelligence activity and thus, significantly departs from
longstanding efforts to treat the Internet and cyberspace as civilian
spheres. The Administration believes that a civilian agency – the
Department of Homeland Security – must have a central role in
domestic cybersecurity, including for conducting and overseeing the
exchange of cybersecurity information with the private sector and
with sector-specific Federal agencies.

The American people expect their Government to enhance security
without undermining their privacy and civil
liberties. Without clear legal protections and independent oversight,
information sharing legislation will undermine the public's trust in
the Government as well as in the Internet by undermining fundamental
privacy, confidentiality, civil liberties, and consumer protections.
The Administration's draft legislation, submitted last May, provided
for information sharing with clear privacy protections and strong
oversight by the independent Privacy and Civil Liberties Oversight
Board.

The Administration's proposal also provided authority for the
Federal Government to ensure that the Nation's
critical infrastructure operators are taking the steps necessary to
protect the American people. The Congress must also include
authorities to ensure our Nation's most vital critical infrastructure
assets are properly protected by meeting minimum cybersecurity
performance standards. Industry would develop these standards
collaboratively with the Department of Homeland Security. Voluntary
measures alone are insufficient responses to the growing danger of
cyber threats.

Legislation should address core critical infrastructure
vulnerabilities without sacrificing the fundamental
values of privacy and civil liberties for our citizens, especially at
a time our Nation is facing challenges to our economic well-being and
national security. The Administration looks forward to continuing to
engage with the Congress in a bipartisan, bicameral fashion to enact
cybersecurity legislation to address these critical issues. However,
for the reasons stated herein, if H.R. 3523 were presented to the
President, his senior advisors would recommend that he veto the bill.

However, the recent events have shaken the Indian government
completely, and it is planning to demand that companies like Google,
Facebook, etc. establish servers in India. Further, conflict of laws
in Indian cyberspace may also require Google, Facebook, etc. to
establish servers in India.

In these circumstances, the Indian government can consider enacting
more stringent norms to regulate social media websites in India. In
fact, many US-based companies and websites are already facing legal
proceedings in India. Additionally, the Indian government can
mandatorily require US companies and websites to install servers in
India so that objectionable content can be regulated, monitored and
deleted on Indian soil itself.

Another related project in this regard is the National Cyber
Coordination Centre (NCCC) of India. The NCCC would provide
actionable alerts to government departments in cases of perceived
security threats. It is hoped that this would help in fighting
terrorists and other cyber criminals. The NCCC will scan the whole of
the cyber traffic flowing at the point of entry and exit at India's
international Internet gateways.

All tweets, messages, emails, status updates and
even email drafts will now pass through the new scanning centre. The
centre may probe further into any email or social media account if it
finds a perceived threat.

If foreign websites fail to comply with Indian laws, there is nothing
wrong in asking them to establish servers in India. However, Big
Brother must not overstep the limits and must act within the
constitutional limits that it is presently transgressing openly and
in an uncontrolled manner.

Foreign companies like Google, Yahoo, Microsoft, etc. and social
media websites like Facebook, Twitter, etc. are continuously made
parties to various civil and criminal proceedings the world over.
Even in India, foreign websites and companies have been constantly
prosecuted for violation of various Indian laws.

Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that India
must take urgent steps so that companies and websites like Google,
Facebook, etc. and social networking websites comply with legal
demands as per Indian laws as well.

(1) All subsidiary/joint venture companies in India, especially
those dealing in information technology and the online environment,
must mandatorily establish a server in India. Otherwise, such
companies and their websites should not be allowed to operate in
India.

(2) A stringent liability for Indian subsidiaries dealing in
information technology and the online environment must be
established by the laws of India.

(3) More stringent online advertisement and e-commerce laws in India
must be formulated for Indian subsidiary companies and their
websites.

In any case, companies and websites that have an Indian existence and
are deriving financial gains from India must adhere to India’s laws
that they are currently flouting. The Telecom Regulatory Authority of
India (TRAI) has recently suggested the National Telecom Policy 2012
of India. It has suggested many important reforms and changes, some
of which can apply to foreign websites and social media websites.

It is high time that foreign companies, websites and social media
platforms fall in line with Indian laws. Otherwise, stringent
regulations may follow that would not be beneficial for any
individual or organisation.

Cyberspace and the Internet have made it possible to access a single
piece of information from multiple jurisdictions. It is also possible
that for a single transaction, multiple countries may exercise
jurisdiction. In other words, the conflict of laws in cyberspace is
most complicated in nature and very difficult to resolve.

The validity of electronic legal notices in India and of DMCA notices
sent from India to other jurisdictions through e-mails is now well
established. This makes it much easier to engage in legal proceedings
from India to multiple jurisdictions. Similarly, Indian citizens and
companies may also be involved in various civil and criminal
proceedings in multiple jurisdictions.

Further, the position of US companies, India, conflict of laws and
criminal liabilities has also become clear these days. Even in the
case of cyber laws, US companies and courts are applying US standards
and are not following Indian standards. This is a classic situation
that is occurring due to conflict of laws. This is also the reason
why an international cyber law treaty is required to bring about
harmonious application of cyber law principles.

The FDI limits in the telecom services, ISP and telecom infrastructure providing sectors of India under the consolidated FDI policy of India 2012 have been totally revamped. Many national security related issues have been made part of the same.

FDI in the licensee company/Indian promoters/investment companies including their holding companies shall require approval of the Foreign Investment Promotion Board (FIPB) if it has a bearing on the overall ceiling of 74 percent. While approving the investment proposals, FIPB shall take note that investment is not coming from countries of concern and/or unfriendly entities.

It has also been clarified that FDI shall be subject to the laws of India and not the laws of the foreign country/countries. This would avoid the agitation of all possible future telecom disputes at the international level through arbitration proceedings or other modes.

Let us see how the telecom sector of India reacts to the present FDI in the telecom sector of India.

Wednesday, April 11, 2012

Crackers and cyber criminals are increasingly targeting power and energy companies for their nefarious activities. One of their favourite targets is the smart meter that can be manipulated to show wrong readings.

Cyber criminals are reprogramming smart meters so that they report less power consumption than the actual one. To do so, they are charging fees from people who want their smart meters tampered with to reflect low power bills.

The intended purpose of smart meters is to improve efficiency and reliability, and to allow the electric utility to charge different rates for electricity at different times of day. Smart grid technology also holds the promise of improving a utility's ability to remotely read meters to determine electric usage.

Cyber criminals can manipulate the smart meters using an optical converter device - such as an infrared light - connected to a laptop that allows the smart meter to communicate with the laptop. Once this connection is made, cyber criminals can change the settings for recording power consumption using software that is freely available on the Internet.

The manipulation of smart meters occurs by exploiting the optical port of the meter. The purpose of the optical port is to enable technicians to diagnose problems in the field without removal, alteration, or disassembly of the meter. However, this feature also allows crackers and cyber criminals to exploit the port.

Sunday, April 1, 2012

The Indian Parliament is not dealing with information and communication technology (ICT) related issues properly. This is more so regarding legal enablement of ICT systems in India. Since a dominant majority of members of Parliament are not aware of the technological aspects of laws, they never pay attention to crucial laws pertaining to cyber law, e-commerce, e-governance, e-health, etc.

Naturally, these technology driven laws are either not enacted at all or they are enacted without any deliberations or debates. For instance, the IT Amendment Bill, 2008 was passed by both Rajya Sabha and Lok Sabha without even a discussion or debate. This shows both indifference towards and lack of knowledge about technology laws on the part of members of Parliament.

There is an emergent need to streamline the Indian Parliament through use of ICT for all purposes, including law making. The Parliament of India has to be more technology enabled and technology guided.

For instance, live telecasting of the proceedings of Parliament, maintaining of websites by Parliament, etc. are some of the examples where ICT has been used by the Indian Parliament. However, the Indian Parliament has to cover a long gap before it can be safely called fully ICT compliant.

BlackBerry, Gmail, Skype, etc. have been asked in the past by the Indian government to provide their services in India in such a manner that intelligence agencies of India can snoop at will and without any problem.

Intelligence agencies of India have been insisting upon use of 40-bit encryption alone, which is easy to crack in case a need arises. However, deploying 40-bit encryption is risky for cyber security, Internet banking, e-commerce, e-governance, etc.

There is no second opinion that an encryption policy of India is needed that clearly demarcates the legal as well as illegal uses of encryption in India. The Information Technology Act 2000 (IT Act 2000) incorporates a single provision in this regard and even that provision has remained dormant for many years. The fact is that we have no dedicated encryption laws in India to address the growing requirements of encryption usage in India.

Now it has been reported that the Standing Committee on Information Technology has shown its displeasure with the Department of Telecommunications (DoT) for the delay in resolving the BlackBerry encryption issue. This is despite the fact that the Indian government formed a committee to come up with a mechanism to deal with encryption issues for providing data access to security agencies.

However, the Standing Committee has considered the constitution of such a committee as another delaying tactic and nothing more. The Standing Committee has asked DoT to analyse the position internationally in this regard and act upon it appropriately.

DoT has already declared its intentions to establish the central monitoring system project of India as well as a mechanism to tap phones in India. However, this entire exercise has failed to address the “constitutional issues” that have been ignored by both the Standing Committee and DoT.